Symptoms


The production environment cannot make any changes in Active Directory when executing a SmartObject method. The error received in SmartForms is as follows:

User could not be updated. An Active Directory error has occurred. Details: LDAP Message LDAP_OPERATIONS_ERROR Description Operation error occurred.

A similar error occurs when executing the same method in the SMO-Tester-Tool:

The server could not be contacted. Service: Account Management Service
 

Diagnoses


By analysing the error messages and logs above, we tried to determine whether K2 simply could not contact the AD server or whether the problem was related to permissions. We enabled SmartObject logging to get more details on this error, but it turned out the error was related to the Dynamic ADSO Service Broker, a custom service broker that can be downloaded from the K2 Marketplace.

However, the error also occurs in the Account Management Service Instance, so it is probably related to the way K2 connects to Active Directory.
 

Resolution

The resolution of this issue is not entirely clear, but it seems to be permissions related. K2 documentation specifies that the account used to access and make changes in Active Directory (such as adding or editing users) should have at least Account Operator permissions. If you cannot grant those permissions because of company policies or restrictions, there are other ways around this: for example, use the "Delegation of Control Wizard" in "Active Directory Users and Computers" on a specific OU to give the account read/write permissions.
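
The OU-scoped delegation described above can also be applied and checked from PowerShell. This is an added example, not part of the original article or K2 documentation; it uses `dsacls` and `Get-Acl` instead of the wizard, and the OU and account names are hypothetical placeholders.

```powershell
# Added example. Requires the RSAT ActiveDirectory module and rights to edit the OU's ACL.
Import-Module ActiveDirectory

$ou      = 'OU=ManagedUsers,DC=example,DC=com'   # hypothetical OU, replace with your own
$account = 'EXAMPLE\svc-k2'                      # hypothetical account used by K2 to reach AD
$sam     = $account.Split('\')[-1]

# List the access control entries the account holds directly on the OU.
function Get-DelegatedAce {
    param([string]$DistinguishedName, [string]$Identity)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object ActiveDirectoryRights, AccessControlType,
                      InheritanceType, InheritedObjectType
}

# 1. Record the state before the change.
$before = @(Get-DelegatedAce -DistinguishedName $ou -Identity $account)
"ACEs for $account before delegation: $($before.Count)"

# 2. Grant read/write of all properties (RP, WP) on user objects below the OU only.
#    /I:S applies the entry to sub-objects; the trailing 'user' limits it to user objects.
#    Creating new users needs an additional create-child right, which is not granted here.
dsacls $ou /I:S /G "${account}:RPWP;;user"

# 3. Confirm the entry exists and is an Allow entry inherited by descendants.
$after = @(Get-DelegatedAce -DistinguishedName $ou -Identity $account)
$after | Format-Table -AutoSize
if (-not ($after | Where-Object { $_.ActiveDirectoryRights -match 'WriteProperty' })) {
    Write-Warning "No WriteProperty entry found for $account on $ou"
}

# 4. Check whether the account is still in the broader built-in group,
#    which would make the OU-scoped delegation redundant.
$inGroup = Get-ADGroupMember -Identity 'Account Operators' -Recursive |
    Where-Object { $_.SamAccountName -eq $sam }
if ($inGroup) { Write-Warning "$account is also a member of Account Operators" }
```

Run the SmartObject method again after step 3 to see whether the LDAP_OPERATIONS_ERROR persists.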




 

What is the account that needs the permissions in AD to make updates?

